Tell HN: Apple Pay works in non-Safari browsers in iOS 16 Beta 3
I was just poking around on a Shopify store on my Firefox browser and saw Apple Pay button showed up, first thought it's a front-end bug on the website but tapped on it and the widget slid up and you can legibly make the purchase!
Tried on Chrome too and it worked there too!
Tried a few other website and can confirm it works everywhere Apple Pay is offered. is it a feature? bug?
Wanna try it yourself? you can check this Stripe test page https://stripe.com/docs/stripe-js/elements/payment-request-b...
Haven't installed Beta 4 yet to see if it is still working.
116 comments
[ 2.6 ms ] story [ 168 ms ] thread[0]: https://webkit.org/blog/8182/introducing-the-payment-request...
[1]: https://developer.mozilla.org/en-US/docs/Web/API/Payment_Req...
> Either your browser does not support the Payment Request API, or you do not have a saved payment method. To try out the Payment Request Button live demo, switch to one of the supported browsers below, and make sure you have a saved payment method.
EDIT: Which they’re not, per above.
But this would mean you could use ApplePay from the current FireFox app.
The section on “Apple’s Open Source Claim” in this blog post [1] goes into a lot more detail on the relationship between Safari, WebKit, and the Chrome/Chromium rendering engine.
[1] https://infrequently.org/2021/08/webkit-ios-deep-dive/
I just wish it'd work on Firefox on my Mac. If not that, I'd love a popup that told me the page supports Apple Pay, so I can checkout with Safari instead.
Firefox, Chrome, anything Apple will allow is just Safari in a different costume.
Engine just makes the car move, everything else defines it. Same with browsers on iOS. Also saying Chrome and Safari on iOS are same browsers because they share WebKit is like saying Edge and Vivaldi are same browsers because they share Blink (they share much more, but still they are very different).
It's like using a winforms webbrowser control in .NET and giving the window a title with your own brand name.
I want something that syncs to all my devices and supports extensions on all my devices.
TBH not allowing safari extensions to work in non-safari browsers felt almost anticompetitive, but I do recognize that there are some UI challenges to solve. Apple Pay was the other big feature I was missing out on.
As a short summary, here are some of the new EU requirements on gatekeepers such as Apple.
Gatekeepers must:
- Allow users to install apps from third-party app stores and sideload directly from the internet.
- Allow developers to offer third-party payment systems in apps and promote offers outside the gatekeeper's platforms.
- Allow developers to integrate their apps and digital services directly with those belonging to a gatekeeper. This includes making messaging, voice-calling, and video-calling services interoperable with third-party services upon request.
- Give developers access to any hardware feature, such as "near-field communication technology, secure elements and processors, authentication mechanisms, and the software used to control those technologies."
- Ensure that all apps are uninstallable and give users the ability to unsubscribe from core platform services under similar conditions to subscription.
- Give users the option to change the default voice assistant to a third-party option.
- Share data and metrics with developers and competitors, including marketing and advertising performance data.
Gatekeepers may no longer:
- Pre-install certain software applications and require users to use any important default software services such as web browsers.
- Require app developers to use certain services or frameworks, including browser engines, payment systems, and identity providers, to be listed in app stores.
- Give their own products, apps, or services preferential treatment or rank them higher than those of others.
- Reuse private data collected during a service for the purposes of another service.
- Establish unfair conditions for business users.
Here comes the Meta App Store to bypass all iOS privacy protections :(
I really like the idea of an eject button to run arbitrary code and operating systems on my pocket computer, but 99% of the time I want it to "just work." If I valued the former over the latter I would have bought an Android phone.
Here comes F-Droid to further enhance iOS with privacy respecting applications
It's still a nonsensical fear, but that would be the reason.
I also strongly suspect that one of those apps would be WhatsApp, which is an app that a not-insignificant portion of the world uses to communicate. Unfortunately, I don't have a choice in what apps my family around the world uses, so I'm stuck with WhatsApp. The choice for me would either be to cut contact with dozens of family members, or enable the Meta App Store.
My hope is that if Apple is forced to allow 3rd-party app stores, they'll make it possible to even more strictly sandbox apps from those stores somehow.
Without certain forms of review, it's much easier for apps to exploit weaknesses (whether in the OS, frameworks, the user, etc.), and I can't imagine that Meta would self-regulate any more than they are forced to now. Their apps and SDKs already hoover up as much data as the system will silently allow, but I'd rather not be forced to expand my device to them, if possible.
We shouldn't let Meta take advantage of regulations towards Apple. We should use it as an opportunity to write more regulation of both of these entities for the purpose of serving the end user.
What solutions do you propose?
whether they stonewall oss clients with attestation for 'security' remains to be seen
> Here comes the Meta App Store to bypass all iOS privacy protections :(
> I really like the idea of an eject button to run arbitrary code and operating systems on my pocket computer, but 99% of the time I want it to "just work." If I valued the former over the latter I would have bought an Android phone.
> - Give developers access to any hardware feature, such as "near-field communication technology, secure elements and processors, authentication mechanisms, and the software used to control those technologies."
> Here comes the Meta App Store to bypass all iOS privacy protections :(
> I really like the idea of an eject button to run arbitrary code and operating systems on my pocket computer, but 99% of the time I want it to "just work." If I valued the former over the latter I would have bought an Android phone.
i value choice. no one is forcing you to download meta
Remember the original Android permission model of "an app gets every permission it wants or you can't install it"? That's where this is heading.
Google can’t stop malware on android
Microsoft can’t stop malware on android
What makes you think Apple will be able to stop malware on iOS?
For example, the OS can enforce that an app can't use the camera without the user clicking "allow" on an OS-managed pop-up.
Like on Windows, macOS and Android it’ll be crucial for users to avoid installing executables from the web. and like Android, users also have to be trained to only install apps from ethical software repositories that respect user privacy and security. This is the best case scenario for privacy/security, and essentially the status quo for Android.
For better or for worse, the days of iOS users installing any and all available applications without worrying about malware is over. Users will get more freedom, but they’ll have to take more responsibility when vetting and running third party apps. I don’t know how a notoriously novice user base will react to that, but we shall see.
It's also very different from how iOS and Android heavily restrict what each app can do, hiding most things you might want to do behind permissions. Installing an app is not quite as safe as visiting a web page, but it's very nearly so if you don't agree to any permissions requests.
The most common way for malware to abuse the permissions system is to ask for permissions to do something plausible, or even implausible, and then abuse those permissions to do other things that the user wasn't expecting. For example, a speed dialer might ask for permission to read your contacts, which is quite reasonable for a speed dialer, but then exfiltrate and sell them.
I can see how that would be attractive in some ways. On the other hand, parent's aren't necessarily smarter than anyone else.
"Install this rando app store and get 12¢ off your next gas fill-up!"
No, companies can apply for their own app signing key that allows them to create apps for their own in-house-only uses that completely bypass the App Store.
Facebook used that enterprise signing key to install spyware on user's devices. This had nothing to do with the App Store, and Apple did revoke their signing key as a warning shot.
>“We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization,” the spokesperson said. “Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.”
https://www.cnbc.com/2019/01/30/apple-says-facebook-violated...
> that completely bypass the App Store [..] Apple did revoke their signing key
Do you see it yet? There is no "bypassing the App Store". At the end of the day, the root of trust comes back to Apple.
And, of course, they "revoked" it meaning they waited for a week or so and then Facebook had all their enterprise apps back. This isn't the treatment in store for you if you attempted this.
Those apps are not distributed through the App Store.
>Oh wait, that was on the official App store!
Do you see it yet? :oP
But, you know, I can just not install those app stores so it totally won't affect me, right? Thanks guys! /s
https://www.tomsguide.com/news/malware-hits-10-million-andro...
I'm an European and I really don't consider this a plus.
Any provisions to allow sideloading unsigned apps?
Because if you can sideload, but it still needs to be signed by Apple, the whole thing is largely moot.
Perhaps it doesn't go as far as you'd like but it's not moot either.
Do third-party app stores have to pay fees to Apple for each purchase? Can they change the rate from the current 30%? That's what I'm wondering about.
As a data point from an online retailer, we kept seeing a significantly high (I think it was something ridiculous like 30%) drop out at the check out payment screen for all Facebook/Instagram ad customers.
What was happening was they were clicking on ads, coming to our site, going to purchase and then when they reached payment didn’t have access to Apple Pay or there saved card details. The in app browsers have an “open in Safari” button, they were clicking that - so they could use their prefers payment method - and loosing their session and shopping cart. It was catastrophic!
We ultimate fixed the issue with a warning message to customers who are within an IAB.
IABs are bad for advertisers, they only serve to keep users within the social media app.
Anyone with the Beta, I would love to know if either Apple Pay or key chain saved cards are available now in social media IABs.
This is one of the few instances in which Android went to some lengths to provide a good UX. An IAB can transition into the real thing without even re-rendering or blinking - and it has all the user data of the main browser.
More: https://developer.chrome.com/docs/android/custom-tabs/